Password Change Post Processing

Passwordstate includes PAM functionality as part of the core software.  This allows you to perform on-demand or scheduled Password Validations (heartbeats) and Resets across multiple different systems or platforms.  You can also perform on-demand or scheduled Account Discoveries and automatically import accounts into a Password List, with or without first resetting the password for each account.  For a list of supported systems, please refer to our webpage here: https://www.clickstudios.com.au/about/privileged-account-management.aspx

In addition to performing Resets on accounts, you can also perform actions after the password has been reset.  What type of activities you can perform is up to you and your ability to write PowerShell scripts.

Example Use Case

As an example, Click Studios maintains a Change Management listing of all Password Resets on Service Accounts.  The way this works in our environment is that once a Password Reset is automatically performed on a Service Account, we run a PowerShell script to send an email to a PC running a program that extracts the details from the email and updates a Change Management register of all resets on Service Accounts.

It’s a rudimentary approach but works well as a sanity check for updates in our QA environment and proof that the post processing functionality is working correctly.  This same script has been replicated in our Demonstration Passwordstate instance for this blog.

Location Of PowerShell Script

In our example use case outlined above, we’ve first created a PowerShell script by navigating to Administration->PowerShell Scripts and clicking on the Password Resets button.

This takes us to the Password Reset Scripts screen.  Here we’ve previously created the script called Update CM_Service_Account_Password_Events.

You can see that the script has been used 4 times by looking at the figure under Usage Counter in the display grid.  By clicking on the name for the script (it’s actually a hyperlink), the editor opens allowing you to create or edit the script.

This PowerShell script creates and sends an email to a specific email address.  What is sent is the details associated with the Password Record that has changed.
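
A sketch of what a post-reset notification script of this kind can look like, added here as an example; it is not the Click Studios script. The function name, parameter names, mail addresses and SMTP relay are assumptions, and how Passwordstate passes record details into a script is not shown on this page. The message carries only record metadata, never the old or new password, and field values are stripped of line breaks so they cannot inject extra lines into the message the register program parses.

```powershell
# Added example, not the script from the original post.
# Parameter names, addresses and the SMTP relay are hypothetical placeholders.
function Send-ResetChangeNotice {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RecordTitle,   # title of the Password Record
        [Parameter(Mandatory)] [string] $AccountName,   # service account that was reset
        [Parameter(Mandatory)] [string] $PasswordList,  # e.g. 'Active Directory Accounts'
        [string] $SmtpServer = 'smtp.example.internal', # assumed internal relay
        [string] $From       = 'passwordstate@example.internal',
        [string] $To         = 'change-register@example.internal'
    )

    # Remove CR/LF from every field so a crafted value cannot add
    # extra "Key: value" lines or mail headers.
    $RecordTitle, $AccountName, $PasswordList =
        $RecordTitle, $AccountName, $PasswordList |
        ForEach-Object { ($_ -replace '[\r\n]+', ' ').Trim() }

    # One "Key: value" pair per line so the receiving program can parse it.
    # Metadata only: the password itself is never placed in the email.
    $body = @(
        'Event: PasswordReset'
        "Record: $RecordTitle"
        "Account: $AccountName"
        "PasswordList: $PasswordList"
        "TimestampUtc: $((Get-Date).ToUniversalTime().ToString('o'))"
        "Source: $env:COMPUTERNAME"
    ) -join "`r`n"

    $mail = @{
        SmtpServer  = $SmtpServer
        Port        = 587
        UseSsl      = $true      # encrypt the session to the relay
        From        = $From
        To          = $To
        Subject     = "Service account password reset: $AccountName"
        Body        = $body
        ErrorAction = 'Stop'     # turn send failures into catchable errors
    }
    try {
        Send-MailMessage @mail
        return $true
    }
    catch {
        Write-Error "Change notice for '$AccountName' not sent: $($_.Exception.Message)"
        return $false
    }
}
```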

To specify that a Password Record runs the PowerShell script after the password is changed, we navigate to the Password List containing the Password Records for our Service Accounts.  In the example use case they are located in the Password List Active Directory Accounts, located under Passwords->Infrastructure.  Then we select the Service Account we want to add a dependency to, click on the Action icon and choose View Password Reset Dependencies.  You are now on the Password Reset Dependencies screen for the specific Password Record and need to click on Add Dependency.

From here, on the Add Dependency screen, we select the Post Reset Script Update CM_Service_Account_Password_Events from the drop down list (note the suffix of .PS1 is not shown here).

Now every time the Password is changed on that specific Password Record the Post Reset Script will execute and email the changed details through to our Change Management register.

If you’d like to share your feedback please send it through to support@clickstudios.com.au.